Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/12/2024, 21:09
Static task: static1
Behavioral task: behavioral1
Sample: 13ba8f7cd3d335bead19272aa29180bf87eda84460f99f206aac051ee690c1fe.exe
Resource: win7-20240903-en
General
- Target: 13ba8f7cd3d335bead19272aa29180bf87eda84460f99f206aac051ee690c1fe.exe
- Size: 33KB
- MD5: 174cc65b52d2712abb4fd785354d8edb
- SHA1: a2f05506daa6e297ff362062c60c37a69ffdd646
- SHA256: 13ba8f7cd3d335bead19272aa29180bf87eda84460f99f206aac051ee690c1fe
- SHA512: 2b4659652db9a83b58eb0b1067a6251be0e3ac6705730f662898b9068499467fe4c08e4fe4112f1c06a4369a5cad91a197abddb546998c6ef4e58bb13e13e96b
- SSDEEP: 768:BfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7DB:BfVRztyHo8QNHTk0qE5fslvN/956qQ
Malware Config
Extracted
- Family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (2 IoCs)
  pid  | Process
  4000 | omsecor.exe
  1976 | omsecor.exe
- Drops file in System32 directory (2 IoCs)
  description                  | ioc                             | Process
  File created                 | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
  File opened for modification | C:\Windows\SysWOW64\merocz.xc6  | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 13ba8f7cd3d335bead19272aa29180bf87eda84460f99f206aac051ee690c1fe.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      | pid  | Process                                                              | procid_target
  PID 4240 wrote to memory of 4000 | 4240 | 13ba8f7cd3d335bead19272aa29180bf87eda84460f99f206aac051ee690c1fe.exe | 83
  PID 4240 wrote to memory of 4000 | 4240 | 13ba8f7cd3d335bead19272aa29180bf87eda84460f99f206aac051ee690c1fe.exe | 83
  PID 4240 wrote to memory of 4000 | 4240 | 13ba8f7cd3d335bead19272aa29180bf87eda84460f99f206aac051ee690c1fe.exe | 83
  PID 4000 wrote to memory of 1976 | 4000 | omsecor.exe                                                          | 101
  PID 4000 wrote to memory of 1976 | 4000 | omsecor.exe                                                          | 101
  PID 4000 wrote to memory of 1976 | 4000 | omsecor.exe                                                          | 101
Processes
- C:\Users\Admin\AppData\Local\Temp\13ba8f7cd3d335bead19272aa29180bf87eda84460f99f206aac051ee690c1fe.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13ba8f7cd3d335bead19272aa29180bf87eda84460f99f206aac051ee690c1fe.exe"
  PID: 4240
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 4000
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (level 3)
      Command line: C:\Windows\System32\omsecor.exe
      PID: 1976
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
  MD5: a4fcfa664f1ba24d259c915ecc6884fd
  SHA1: f87fa0f73b903dd0310db2c813636f336cd461ab
  SHA256: 94902a788741be27fbd662221514b6de67cc1b313bd101dfbb96f2e354adf19c
  SHA512: f4ce6cadef1cecc37b670f637dbb0897b0c9a1dab7c9751e24a3daea22a4e9a2abe7a6611495702c95360f9634a12175174fd049f5cbd12fa49b123d021adf4f
- Filesize: 33KB
  MD5: bede355e014cae90b0387c09b671d977
  SHA1: edb207f86ed8b8e8fed75254e84e95d620a6c6b3
  SHA256: ac5d154f3a3b7c7c45707e6055b21d175fee492d147b337b7a4903a1a235cc51
  SHA512: 3fd4cf07c0d0b6b94cc954e3bf4e7b1bb1113d004ca48300ad79ce8ae4944aea7ced50b351eaa0b250422c9d2c1779cb10816ab4f83bd8a608a9a43af3eed965